15:01:00 <gagehugo> #startmeeting security
15:01:00 <openstack> Meeting started Thu Feb 14 15:01:00 2019 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:02 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:04 <openstack> The meeting name has been set to 'security'
15:01:42 * fungi is around, just also in tc office hour
15:01:52 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda
15:02:04 <gagehugo> ping fungi gagehugo lhinds nickthetait browne redrobot
15:02:07 <gagehugo> o.
15:02:10 <gagehugo> o/
15:02:15 <redrobot> \o
15:04:23 <gagehugo> Only update I have is the security SIG is confirmed for a spot at the Denver PTG
15:04:41 <gagehugo> fungi redrobot: anything you would like to bring up this week?
15:05:13 <redrobot> nothing on my plate, just here to 👀
15:05:17 <fungi> container-oriented folks might be interested in the runc vulnerability which was reported this week, though odds are they probably are already
15:05:29 <gagehugo> true
15:06:03 <fungi> i know some of the container-related teams like kolla and loci are fielding questions
15:06:27 <gagehugo> #link https://shenaniganslabs.io/2019/02/13/Dirty-Sock.html
15:06:35 <gagehugo> another thing I saw this week
15:06:48 <nickthetait> oof I'm late!
15:07:06 <gagehugo> #link https://seclists.org/oss-sec/2019/q1/119
15:07:08 <gagehugo> for docker
15:07:29 <gagehugo> nickthetait o/
15:07:36 <nickthetait> hey
15:11:52 <fungi> oh, and there's a discussion on the pypa-dev ml about how (and whether) to deal with unaddressed security vulnerabilities in packages on pypi
15:11:57 <fungi> lemme get a link
15:12:18 <gagehugo> fungi: interesting
15:12:30 <nickthetait> a whole category of vulns or different/random ones?
15:12:42 <fungi> #link https://groups.google.com/forum/#!topic/pypa-dev/9LM_rdiKC5w Handling packages with known vulnerabilities
15:12:47 <fungi> just in general, yeah
15:14:07 <fungi> oh, and a couple of interesting security-related threads on distutils-sig this week
15:14:40 <fungi> #link https://mail.python.org/archives/list/distutils-sig@python.org/thread/ZMJCBP6QFLTR2E26R223LN47OROMBGG3/ Question on Python Package scanning
15:15:00 <fungi> #link https://mail.python.org/archives/list/distutils-sig@python.org/thread/WPQDP73N7IINXX36UAOG7YDYHD7MYU4X/ API for SHA-256 fingerprints
15:16:32 <gagehugo> nice
15:17:32 <fungi> er, that was the wrong title for that link, was the pip+safety thread
15:17:45 <fungi> #link https://mail.python.org/archives/list/distutils-sig@python.org/thread/WPQDP73N7IINXX36UAOG7YDYHD7MYU4X/ pip + safety
15:18:08 <fungi> #link https://mail.python.org/archives/list/distutils-sig@python.org/thread/FLNOENK2525RMHGL7SV2SBUXKSOJHSEZ/ API for SHA-256 fingerprints
15:18:44 <fungi> that last one gets into the weeds on md5 and misunderstandings on the ways in which it's broken
15:21:09 <gagehugo> yeah I added to my to-read list heh
15:21:23 <gagehugo> added it*
15:25:49 <gagehugo> anything else?
15:25:54 <nickthetait> no
15:26:57 <gagehugo> btw I said it earlier but the SIG will likely have a spot at the PTG, I don't think the final details have been decided yet
15:27:30 <nickthetait> nice
15:29:44 <gagehugo> so hopefully we can all see each other there :D
15:30:27 <gagehugo> thanks for coming everyone, have a good weekend!
15:30:30 <gagehugo> #endmeeting